On Wed July 15 2009, Dr. Stephen Henson wrote:
> On Wed, Jul 15, 2009, tito wrote:
>
> > Thank you for replying.
> >
> > This is what I can conclude from the inputs I got.
> >
> > 1. Mozilla has no way to lock/disable the private key export when we export
> > the certificate.
> >
> > 2. I would have to trust my agents, or write in the contract, that he will not
> > use the certificate other than on the designated PC where the request for the
> > certificate was done.
> >
> > If anyone has any other opinions about it, please let me know. Thanks a
> > lot.
> >
>
> It seems your threat model is only against a non-tech-savvy user. MSIE
> unexportable private keys can be exported if you know how, and even if you
> could enforce greying out of the Mozilla export option, the certificate and key
> database files are easily backed up anyway.
>
> A possibility would be to use a PKCS#11 soft-token which won't export keys. I'm
> not aware of any such thing but it could be done. It would need to encrypt
> its key database in such a way that it would only work on one PC.
>
> Again, a knowledgeable user could easily bypass that, and nothing short of a
> hardware token would help against that.
>
You can approximate that by grabbing the processor's silicon serial number plus
the USB stick's silicon serial number plus a user-input (partial) passphrase.
Combine the three in any way you wish and submit to stock software as the full
passphrase. I.e.:

 - The files can't be copied to a different USB device (and still work);
 - The USB device must be installed on the same computer;
 - The user must provide the "secret" part of the passphrase.

Not as good as a device engineered to secure information, but "hard" enough to
be safe from compromise by the casual user.

Two problem areas here:

 - Not all systems have hardware drivers that allow you to access those unique
   silicon serial numbers from user-space.
 - Not all processors have the silicon serial number feature and have it enabled.

Mike

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
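Mike's "combine the three factors into one passphrase" scheme, as an added example that is not part of the original thread and not code from any of its participants. The CPU serial, USB serial, user secret and salt below are constructed stand-ins; reading the real silicon serial numbers is platform-specific and is assumed to be done elsewhere. PBKDF2-HMAC-SHA256 over length-prefixed factors is one concrete choice for the "combine them any way you wish" step, and the verifier hash is a hypothetical addition so the software can tell a wrong passphrase from a corrupted database. It then shows that the same three inputs verify, while a different CPU or a different USB stick does not. As Steve notes above, this only raises the bar for the casual user: anyone who can read the two serial numbers and copy the files has all the inputs.

```python
import hashlib
import hmac

# Constructed sample identifiers standing in for values read from hardware.
# Obtaining a real CPU or USB serial is platform-specific and assumed to be
# handled by other code; here they are plain byte strings.
SAMPLE_CPU_SERIAL = b"CPU-SERIAL-0000-EXAMPLE"
SAMPLE_USB_SERIAL = b"USB-SERIAL-1234-EXAMPLE"
SAMPLE_USER_SECRET = b"correct horse"
SAMPLE_SALT = b"per-installation-salt-16"  # stored next to the key database


def encode_factors(*factors: bytes) -> bytes:
    """Length-prefix each factor so the combined input is unambiguous.

    Plain concatenation would make ("ab", "c") and ("a", "bc") identical;
    a 4-byte big-endian length before each factor prevents that.
    """
    out = b""
    for factor in factors:
        out += len(factor).to_bytes(4, "big") + factor
    return out


def derive_passphrase(cpu_serial: bytes, usb_serial: bytes, user_secret: bytes,
                      salt: bytes, iterations: int = 100_000) -> bytes:
    """Combine the three factors into a 32-byte passphrase via PBKDF2-HMAC-SHA256.

    The result is what gets handed to the stock software as its full
    passphrase. Changing any factor (different CPU, different USB stick,
    wrong user secret) yields an unrelated value.
    """
    material = encode_factors(cpu_serial, usb_serial, user_secret)
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def make_verifier(passphrase: bytes) -> bytes:
    """Hypothetical check value stored beside the key database.

    It lets the software reject a wrong passphrase early without revealing
    the passphrase; the fixed prefix domain-separates it from the key material.
    """
    return hashlib.sha256(b"passphrase-verifier|" + passphrase).digest()


def check_passphrase(passphrase: bytes, verifier: bytes) -> bool:
    """Constant-time comparison of a derived passphrase against the verifier."""
    return hmac.compare_digest(make_verifier(passphrase), verifier)


def demo() -> dict:
    """Enrol on one machine, then show that another CPU or another USB stick
    no longer produces a passphrase that verifies."""
    enrolled = derive_passphrase(SAMPLE_CPU_SERIAL, SAMPLE_USB_SERIAL,
                                 SAMPLE_USER_SECRET, SAMPLE_SALT)
    verifier = make_verifier(enrolled)
    other_cpu = derive_passphrase(b"CPU-SERIAL-9999-EXAMPLE", SAMPLE_USB_SERIAL,
                                  SAMPLE_USER_SECRET, SAMPLE_SALT)
    other_usb = derive_passphrase(SAMPLE_CPU_SERIAL, b"USB-SERIAL-5678-EXAMPLE",
                                  SAMPLE_USER_SECRET, SAMPLE_SALT)
    return {
        "same_machine_ok": check_passphrase(enrolled, verifier),
        "other_cpu_ok": check_passphrase(other_cpu, verifier),
        "other_usb_ok": check_passphrase(other_usb, verifier),
    }


if __name__ == "__main__":
    print(demo())
```

The length prefix in `encode_factors` matters more than it looks: with bare concatenation, two different (serial, secret) pairs can collide into the same PBKDF2 input, which would let a wrong secret verify on a different device. The salt is per installation and need not be secret; it only keeps two installations with identical inputs from sharing a passphrase.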